Abstract. We report a four-year experiment in teaching reasoning to undergraduate students, ranging from weak to gifted, using Gentzen-Prawitz style natural deduction. We argue that this pedagogical approach is a good alternative to the use of Boolean algebra for teaching reasoning, especially for computer scientists and formal methods practitioners.



1 Introduction 

Logic is one of the most basic ingredients of formal methods. The most common approach for teaching logic takes its root in the model-theoretic view: logical connectors are seen as Boolean functions (truth tables), and this view is then generalized to quantifiers: ∀ is like an infinite conjunction, ∃ is like an infinite disjunction. Teaching logic along these lines is a well-established tradition. Boolean algebra proved efficient for solving puzzles and, much more seriously, for designing digital circuits or automating the resolution of large combinatorial problems (e.g. by reduction to SAT). In the areas of hardware and of programming, Boolean expressions play a key role in control structures such as the if and while constructs, not to mention bit-level programming.

However, the Boolean approach is not so clearly related to usual reasoning. The case of implication is especially questionable. In everyday life, as well as in mathematics textbooks, nobody proves an implication A ⇒ B by computing a truth table: one assumes A and then proves B under this hypothesis.

It is even argued that logic is essentially about proofs, before being about truth. First we can observe that in some logics, including temporal logics and modal logics which have many applications in formal methods, the semantics of a proposition is rather more complex than a truth value - typically, it is described by a Kripke semantics. But even in the case of usual logics, logicians following Dummett, Prawitz and Schroeder-Heister worked on a proof-theoretic semantics of logic (see [11] for a recent presentation).

Proofs can be formalized using syntactic objects described by deduction systems. Such systems were introduced in the last century in order to study the meta-theory of logic. Four years ago, we decided to experiment with the use of a particular deduction system, namely Gentzen-Prawitz Natural Deduction (GPND, for short), for teaching purposes at an introductory undergraduate level. The choice of GPND is discussed below in section 2.
The main thesis of this paper is that GPND has a strong pedagogical interest independent from meta-theoretical considerations. First, it provides a much better explanation of the meaning (and even: essence) of logical connectors and quantifiers. A formal framework for proof writing is necessary to point out students' mistakes in reasoning, which, due to ambiguity, are always arguable in proofs written in natural language. Manual proof checking becomes perfectly rigorous - indeed it can be automated, but this is another issue - and moreover it provides precious hints for proof search. More technical advantages are discussed below in section 4.1. Though this material is especially relevant as an introduction to formal methods, we claim that, more generally, it illustrates several key notions of computer science:

— Case analysis
— Tree-like data structures
— Modularity
— Divide and conquer problem solving
— Variables and scopes
— Rule-based formalisms (preparation for more advanced courses)
— Good support for discussing the relation between syntax and semantics
— Introduction to proof assistants

Let us add that it also provides good help for writing rigorous and accurate proofs by induction. However, some pitfalls have to be avoided. The way some notions are introduced requires care, and some notations have to be carefully designed in order to keep interesting proofs at a manageable size without loss of precision.

Our thesis is supported by our experience with the use of GPND in an introductory course on logic, given to first-year undergraduate students from 2005 to 2009. The rest of the paper is organized as follows. In section 2, we present the scientific background, i.e. a short account of natural deduction. In section 3, we outline the contents of the course we have given since 2005. In section 4, we discuss some issues related to this experiment as well as possible extensions. We conclude in section 5.

2 Background: Natural Deduction 

Natural Deduction was invented by Gerhard Gentzen [6] and further studied by Dag Prawitz [10] for the meta-theoretical study of first-order logic. In contrast with Hilbert-style deduction systems, characterized by few inference rules and many axioms, Gentzen's systems have only one axiom and many inference rules. A strong point of his approach is that each connector is considered separately, providing an intrinsic meaning for it: intuitively, each connector * is defined by the canonical way to prove a formula having * as its principal connector (introduction rules), or to exploit a formula having * as its principal connector (elimination rules). The rules are recalled in figure 1. All hypotheses have a name such as h_n. Discharged hypotheses are distinguished by square brackets around their name (e.g. [h_n]), and the place where they are discharged appears in the label of the rule (so we know that this hypothesis is no longer available below this rule).

The main meta-theoretical property of Gentzen's systems is the cut-elimination theorem, saying that, basically, proofs can be normalized in such a way that the last rule is an introduction rule for the principal connector of the conclusion [10, 7]. Important corollaries are the subformula property (delimiting the proof search space) and the consistency of logic (without reference to model-theoretic semantics).

Here, we are more interested in the pedagogical value of GPND proof-trees. We think that it comes from their intrinsic features: they are concrete, intuitive, and according to some logician-philosophers, they reflect exactly proof objects (again, see [11]). The latter fact is particularly evident if one considers GPND proof-trees as another syntax for typed lambda-calculus, through the Curry-Howard-De Bruijn isomorphism [3, 8, 2] (this is not the case in another popular representation of natural deduction using sequents, see 4.3 for details).

If we compare with the Boolean approach to teaching logic, proof-trees are certainly more complex than Boolean values but, in some respects, they look concrete and may be perceived as less abstract than Boolean functions. We may just regret that shortcuts using Boolean algebraic laws are not for free in natural deduction. In Boolean algebra, equivalence is the same as equality, whereas here, it is a congruence: we can show that if A ⇔ B, then for any context C[.], we have C[A] ⇔ C[B]. The proof is by induction on the structure of contexts. It is not very difficult and can be understood by good students, at least for propositional logic, and is a good introduction to the meta-theoretical study of logic, but we could not afford to present it at the level considered in our pedagogical experiment.

Fortunately, it turns out that algebraic laws are mainly useful when handling large propositional formulas, which is not the case in our exercises. In places where, say, commutativity, associativity or the replacement of ¬A ⇒ ¬B with B ⇒ A could be used, they can easily be bypassed.



3 Course Outline 



The course was designed to introduce logical reasoning to students without previous systematic exposure to logic, in order to prepare them for further courses on computational models, automata and languages, program specification and verification, formal methods, etc. Despite some basic practice in mathematics, many of them have gaps in dealing with proofs and even in grasping the meaning of implication and quantifiers.

Our aim is then to provide an intuition of logical connectors and proofs using 1) a systematic approach based on the structure of the formula to prove, 2) a careful and explicit treatment of quantifiers and 3) a computational data structure able to implement these requirements, namely proof-trees.

Fig. 1. Gentzen-Prawitz Natural Deduction Rules

3.1 Proof Trees

Just to start with, we assume an intuitive and rough knowledge of ∧, ∨ and ⇒. The first new idea to become familiar with is the notion of proof-tree. A difficulty with GPND is that deductions, in general, depend on hypotheses and that the stock of hypotheses varies as one progresses in the reading of a proof. We then chose to postpone this issue and to use, in the first lesson, only deductions having no effect on available hypotheses. To this effect we could start with GPND rules such as ∧i, ∧e1, ∧e2, ⇒e, ∨i1, ∨i2. However this would break a systematic exposition of the rules. We therefore slightly cheat in a first stage: we introduce ad-hoc inference rules, relevant to the formalization of a toy reasoning, such as TRI (transitivity of implication) and DLI (disjunction on the left of an implication).

A ⇒ B    B ⇒ C              A ⇒ C    B ⇒ C
--------------- TRI         --------------- DLI
    A ⇒ C                     (A ∨ B) ⇒ C

The specific rules are not important at this stage. We aim at teaching a new game, where the key ideas are:

— The notion of inference rule, with premises, conclusion, and justification (a name used as a label for an inference rule).
— Checking that an inference rule is correctly applied is an easy mechanical task.
— A rule is actually a schema (propositional variables can be replaced with any proposition).
— A proof-tree relates hypotheses (on the top) to one conclusion (at the bottom).
— A proof-tree is built from inference rules.
— Generalization and modularity: one can build a proof tree from subtrees.

The last items are illustrated in a very intuitive way, using examples following the diagrams of figures 2 and 3, where numbers represent propositions¹. Figure 3 also illustrates a situation where the same hypothesis can be used several times². The rules of the game change very quickly (from the second lesson), but not its shape. Actually, playing with somewhat complicated rules (involving 3 or 4 occurrences of connectors) drives us to a quest for convincing elementary rules.

Before going further, let us mention that we can name proof-trees and use such names as justifications for non-elementary proof steps. We introduce derived inference rules in this way, in advanced chapters.



¹ Technically, natural deduction distinguishes the name (here: a number) of a proposition and what the proposition stands for, e.g. A ∧ B ⇒ C ∨ D. It may even happen that two different names stand for the same proposition. Of course such details are beyond the scope of the lesson.

² In general, a hypothesis can be used 0, 1 or several times.
Fig. 2. Branching proof-trees together

Fig. 3. Abstraction of a proof-tree



3.2 Propositional Connectors 

We keep the presentation of Gentzen, where each rule deals with only one connector. In some sense, GPND rules provide a semantics to the corresponding connector, by explaining the canonical ways to prove and to exploit a formula governed by this connector. We start with ∧, which has the simplest rules, and illustrate them on a proof of B ∧ A assuming A ∧ B.

The next connector (⇒) is the most important for several reasons:

— any theorem has at least one occurrence of ⇒ (unless PEM - the Principle of Excluded Middle - is used): a theorem is the conclusion of a proof-tree where all hypotheses are discharged;
— it is often misunderstood by students, and
— it is the fundamental place for discussing hypothesis management.

That said, ⇒e is well-known (just another name for modus ponens); the statement of ⇒i is very natural, as it sticks to the common practice for proving A ⇒ B: suppose A, then prove B.

The hypothesis h_n mentioned in ⇒i[h_n] is said to be available in the sub-proof-tree concluding B. This rule has a special interest for computer scientists, as it illustrates the notion of scope, which is here applied to hypotheses: the scope of a hypothesis is its availability domain. Note that the scope is here at the level of proof-trees. In particular, we insist on maintaining a clear separation, using boxes, between different sub-proof-trees equipped with their hypotheses, to represent scopes.

Interesting exercises, ranging from easy to difficult, can be proposed using only ∧ and ⇒, or even just ⇒. Here are some examples - note that ⇒ associates to the right:

- A ∧ B ⇒ B ∧ A (very easy);
- [(A ∧ B) ⇒ C] ⇒ (A ⇒ B ⇒ C), and conversely: intuitively, there are two equivalent ways to express the idea of "and if";
- (A ⇒ B ⇒ C) ⇒ ((A ⇒ B) ⇒ (A ⇒ C));
- A ⇒ B ⇒ A (somewhat troubling);
- (A ⇔ (A ⇒ B)) ⇒ B.

In the last one, P ⇔ Q is an abbreviation for (P ⇒ Q) ∧ (Q ⇒ P). It is basically the essence of diagonal arguments: replacing B with absurdity ⊥ and using the definition of ¬ (see below), it means that A cannot be equivalent to ¬A. Here, the argument is developed constructively, without case analysis on A ∨ ¬A. An interesting challenge is to find a solution without repeating sub-proof-trees: for more advanced students, it illustrates the notion of cut, similar to a lemma in informal practice.

We finish this part with disjunction. The two introduction rules are obvious. The elimination rule corresponds to case analysis and requires hypothesis management - hence another opportunity to discuss scopes. Note that students are tempted to invent a ∨e rule with 2 conclusions, something like

A ∨ B
------ wrong-∨e
A   B

Here we have to explain that a proof-tree with 2 (and then, in general, many) conclusions is a complicated beast. In some sense those conclusions should be handled separately (otherwise, we could deduce A ∧ B from the previous deduction). However, separate deductions starting from A and from B eventually need to be synchronized, once the same conclusion is reached. But further complications will happen, typically if A (or B) has to be used several times. So we keep things simple, sticking to the shape of a tree.

Let us mention here another challenging exercise, which requires a good understanding of ⇒:

- ((A ∨ (A ⇒ C)) ⇒ C) ⇒ C

It can be related to the elimination of double negation, to come later.

3.3 Quantifiers 

Before explaining the rules, a number of notions are needed on what is usually called a first-order language. However, a perfectly formal and rigorous presentation would be counter-productive at this level. Students have an operational knowledge of terms made of function symbols, constants and variables. So we insist only on the delicate concepts: free and bound variables, their scope (at the level of the syntax of formulas, here), substitution of free variables. Formulas which differ only in the names of free variables are considered identical. The rule for ∀ elimination is obvious. We choose to provide the substitution in the label: ∀e(x := t) means that the (free occurrences of the) variable x will be substituted with t. This level of precision is useful (even needed!) for students; we go back to this issue in section 4.

Rule ∀i raises the delicate question of fresh variables. In the premise P(x0), x0 stands for an arbitrary variable. What does it mean? It is easy to explain that "arbitrary" means "not subject to a hypothesis" or, more accurately, "not subject to an available hypothesis", hence "not free in any available hypothesis". We could say as well that the premise P(x0) must not be in the scope (at the level of proofs) of a hypothesis on x0. Mastering hypothesis handling is then crucial at this stage. We require students to write this side condition explicitly as x0 ∉ FV(h1, ..., hn) and to check it during the proof process.

The explanations about ∃e[h_n] are along the same lines. We stress that ∃ behaves like an infinite version of ∨. Hence it is not surprising that the structure of ∃e is similar to ∨e. But similarly as well, students tend to formalize "we know that ∃x P(x); let x0 be the witness such that P(x0)" by

∃x P(x)
-------- wrong-∃e
 P(x0)

Such a rule leads very quickly to undesired consequences, as it behaves as a ∀e(x := x0). Indeed, it yields

∃x P(x)
-------- wrong-∃e
 P(x0)
-------- ∀i
∀x P(x)

hence (∃x P(x)) ⇒ (∀x P(x)). This usual error is an opportunity to discuss the effect and the consequences of wrong-∃e. The right ∃e rule takes a situation where one has a proof of ∃x P(x) and, from any witness x0 such that P(x0), one can build a proof-tree D having some conclusion C, possibly using other premises. Then, one can infer C. Note that P(x0) may be used several times in D, while it is not feasible in wrong-∃e. Students agree that each use of ∃e would produce a different x_i. Another important intuition is that, in ∀e(x := x0), x0 does not come from the premise ∀x P(x); it is typically given by a ∀i below in the proof-tree - the proof is often built in a bottom-up manner, initially. This is to be contrasted with ∃e, where x0 is a witness contained in the proof of the premise ∃x P(x).

At this point students are able to find proof-trees for formulas such as (∃x ∀y R(x, y)) ⇒ (∀y ∃x R(x, y)) and to become aware that the converse is not a theorem.
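As an added example (not code from the paper), here is a small checker for proof-trees in the ∧, ⇒, ∀, ∃ fragment of figure 1, written to show how the bookkeeping of sections 3.2 and 3.3 can be made mechanical: hypotheses are named, a hypothesis is visible only in the sub-tree below the rule that discharges it, and the side conditions of ∀i and ∃e are checked against the free variables of the hypotheses in scope. The tuple encoding of formulas and proofs, the rule names and the sample proof-trees are assumptions of this example. It accepts the exercise A ∧ B ⇒ B ∧ A and the quantifier exercise (∃x ∀y R(x, y)) ⇒ (∀y ∃x R(x, y)), and it rejects both a use of a hypothesis outside its box and the students' attempt at (∃x P(x)) ⇒ ∀x P(x), whatever the order in which ∀i and ∃e are tried.

```python
# Proof-tree checker for the (and, implication, forall, exists) fragment of GPND.
# Added example, not code from the paper.  Formulas are nested tuples such as
# ('atom', 'R', ('x', 'y')), ('and', A, B), ('imp', A, B), ('all', 'x', A), ('ex', 'x', A);
# terms are variable names; proof nodes are tuples headed by a rule name.  The
# available (undischarged) hypotheses form a dict name -> formula: the scope.

class ProofError(Exception):
    pass

def free_vars(f):
    """Free variables of a formula: a binder removes its own variable."""
    if f[0] == 'atom':
        return set(f[2])
    if f[0] in ('and', 'imp'):
        return free_vars(f[1]) | free_vars(f[2])
    return free_vars(f[2]) - {f[1]}              # 'all' / 'ex'

def subst(f, v, t):
    """Replace the free occurrences of variable v by the term t in f."""
    if f[0] == 'atom':
        return ('atom', f[1], tuple(t if a == v else a for a in f[2]))
    if f[0] in ('and', 'imp'):
        return (f[0], subst(f[1], v, t), subst(f[2], v, t))
    if f[1] == v:                                # v is bound here: nothing to replace
        return f
    if f[1] == t:                                # t would be captured; this toy does not rename
        raise ProofError(f'substitution would capture {t}')
    return (f[0], f[1], subst(f[2], v, t))

def check(node, hyps):
    """Conclusion of `node` under available hypotheses `hyps` (name -> formula)."""
    rule = node[0]
    if rule == 'hyp':                            # leaf: the hypothesis must be in scope
        if node[1] not in hyps:
            raise ProofError(f'hypothesis {node[1]} is not available here')
        return hyps[node[1]]
    if rule == 'and_i':
        return ('and', check(node[1], hyps), check(node[2], hyps))
    if rule in ('and_e1', 'and_e2'):
        c = check(node[1], hyps)
        if c[0] != 'and':
            raise ProofError('and_e applied to a non-conjunction')
        return c[1] if rule == 'and_e1' else c[2]
    if rule == 'imp_i':                          # ('imp_i', h, A, sub): h: A is available in sub only
        _, h, a, sub = node
        return ('imp', a, check(sub, {**hyps, h: a}))
    if rule == 'imp_e':                          # modus ponens
        c, a = check(node[1], hyps), check(node[2], hyps)
        if c[0] != 'imp' or c[1] != a:
            raise ProofError('imp_e: minor premise does not match')
        return c[2]
    if rule == 'all_e':                          # ('all_e', t, sub): forall x A gives A[x := t]
        c = check(node[2], hyps)
        if c[0] != 'all':
            raise ProofError('all_e applied to a non-universal formula')
        return subst(c[2], c[1], node[1])
    if rule == 'all_i':                          # ('all_i', x0, x, sub): A(x0) gives forall x A(x)
        _, x0, x, sub = node
        c = check(sub, hyps)
        if any(x0 in free_vars(f) for f in hyps.values()):   # x0 not in FV(h1, ..., hn)
            raise ProofError(f'all_i: {x0} is free in an available hypothesis')
        return ('all', x, subst(c, x0, x))
    if rule == 'ex_i':                           # ('ex_i', x, A, t, sub): A[x := t] gives exists x A
        if check(node[4], hyps) != subst(node[2], node[1], node[3]):
            raise ProofError('ex_i: premise is not the announced instance')
        return ('ex', node[1], node[2])
    if rule == 'ex_e':                           # ('ex_e', h, x0, p_ex, sub): witness x0 named h
        _, h, x0, p_ex, sub = node
        e = check(p_ex, hyps)
        if e[0] != 'ex':
            raise ProofError('ex_e applied to a non-existential formula')
        c = check(sub, {**hyps, h: subst(e[2], e[1], x0)})
        if x0 in free_vars(c) or any(x0 in free_vars(f) for f in hyps.values()):
            raise ProofError(f'ex_e: witness {x0} is not fresh or occurs in the conclusion')
        return c                                 # the witness does not escape its box
    raise ProofError(f'unknown rule {rule}')

def verdict(proof):
    try:                                         # closed proof-tree: no hypothesis at the root
        return ('ok', check(proof, {}))
    except ProofError as err:
        return ('error', str(err))

def atom(p, *args):
    return ('atom', p, args)

A, B = atom('A'), atom('B')
# Exercise A ∧ B ⇒ B ∧ A of section 3.2, as a proof-tree.
SWAP = ('imp_i', 'h1', ('and', A, B),
        ('and_i', ('and_e2', ('hyp', 'h1')), ('and_e1', ('hyp', 'h1'))))
# Scope violation: h1 is discharged by imp_i, then used again outside its box.
OUT_OF_SCOPE = ('and_i', ('imp_i', 'h1', A, ('hyp', 'h1')), ('hyp', 'h1'))
# (∃x ∀y R(x, y)) ⇒ (∀y ∃x R(x, y)) of section 3.3, with witness x0 and fresh y0.
SWAP_Q = ('imp_i', 'h1', ('ex', 'x', ('all', 'y', atom('R', 'x', 'y'))),
          ('ex_e', 'h2', 'x0', ('hyp', 'h1'),
           ('all_i', 'y0', 'y', ('ex_i', 'x', atom('R', 'x', 'y0'), 'x0',
                                 ('all_e', 'y0', ('hyp', 'h2'))))))
# The students' wrong attempt (∃x P(x)) ⇒ ∀x P(x): the witness x0 would escape ex_e.
BAD_Q = ('imp_i', 'h1', ('ex', 'x', atom('P', 'x')),
         ('all_i', 'x0', 'x', ('ex_e', 'h2', 'x0', ('hyp', 'h1'), ('hyp', 'h2'))))
```

Calling verdict(SWAP), verdict(SWAP_Q) returns ('ok', conclusion), while verdict(OUT_OF_SCOPE) and verdict(BAD_Q) return ('error', reason). Swapping the order of ∀i and ∃e in BAD_Q moves the failure from the ∃e side condition to the ∀i side condition (x0 is then free in the hypothesis h2), which is exactly the discussion the wrong-∃e rule is meant to trigger.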
3.4 Absurd and Negation

The absurd proposition (⊥) has no introduction rule. We mention that ⊥ cannot be proved in the empty context, as a corollary of the cut-elimination theorem (the latter is only stated; its proof is beyond the scope of our course). Negation is defined by ¬A ≝ A ⇒ ⊥.

It is interesting to note that ⊥ and ¬ can be introduced very late, after first-order notions. Many interesting exercises can be done without ¬. In fact, we could delay these connectors further, after equality and induction. A large amount of logic material can be developed without reference to False. For instance, this is the case for the algebraic properties of + and × on natural numbers.

However we decided to talk about ¬ at this stage in order to introduce classical reasoning, using either the Principle of Excluded Middle (PEM) or ¬¬e. This is also the place for discussing constructive reasoning - something which is certainly more significant in the framework of computer science than in mathematics.

Among the exercises which can be proposed at this stage, let us mention some puzzles such as

- ¬¬A ∧ ¬¬B ⇒ ¬¬(A ∧ B)
- ¬¬(¬¬A ∨ ¬¬(A ∨ B)).

They can be proved with ¬¬e, but finding a solution without this rule (and without PEM) requires a good understanding of implication.

3.5 Equational reasoning

If o1 and o2 are "identical", it is clear that everything we prove about o1 holds for o2 as well. This common kind of equational reasoning, often called Leibniz's law, is embodied in our framework as equality elimination. We recall it in Figure 4, together with equality introduction, which is the only general axiom about =, that is, equality is reflexive. It is easy to derive symmetry and transitivity of = from =i and =e. In principle, it is possible to present any equational reasoning as proof-trees using only =i and =e. However, it turns out quite tedious and lengthy. Therefore we prefer to present an equational reasoning as illustrated on the right-hand side of Figure 5. It can be shown (by induction on the number of rewriting steps) that such a proof can be put in the proof-tree format. Implementing that transformation on proof-trees could be a programming exercise in a companion course on functional programming. This proof E1 is then abstracted under the form of a multiple inference step

h1  ...  hn
----------- E1
   U = Z

Note that justifications used in E1 can themselves refer to separate proof-trees.

Fig. 4. Rules for equality

         =i            a = b    P(a)
       -------         ------------- =e
        t = t              P(b)

Fig. 5. Equational reasoning: the multiple inference step h1 ... hn / U = Z, justified by E1, where E1 is the chain

U
= V    {justification that U = V provided h1 ... hn}
...
= Z    {justification that Y = Z provided h1 ... hn}

3.6 Definitions

A very useful device for keeping proofs manageable is to use definitions. For instance a sub-formula such as ∀x P(x) ⇒ Q(x, y) can be abbreviated as R(y), provided we define R(u) ≝ ∀x P(x) ⇒ Q(x, u). Free variables have to be properly taken into account. The definiendum can be freely replaced with the corresponding definiens and conversely. Technically speaking, in proof theory, such steps are not considered as deductions, but follow from the conversion rule, which means that a proof-tree having A as its conclusion is a proof-tree having B as its conclusion when A unfolds to B or when B unfolds to A (for a more general setting, we refer the reader to deduction modulo as defined in [4]). However, for pedagogical purposes, we prefer to make such steps explicit, at least at the beginning. In order to distinguish such steps from regular deduction steps, we present them using dotted lines instead of plain lines. In the previous example, we could then write

D ∧ (∀x P(x) ⇒ Q(x, y))
. . . . . . . . . . . . . . R def
        D ∧ R(y)

The reverse replacement can also be done by invoking R def.



3.7 Set-theoretic constructs

Definitions are extensively used when dealing with set-theoretic constructs. Besides the extensionality axiom

- A = B ⇔ (∀x, x ∈ A ⇔ x ∈ B)

we have the following definitions:

- A ⊆ B ≝ (∀x x ∈ A ⇒ x ∈ B)
- x ∈ A ∩ B ≝ x ∈ A ∧ x ∈ B
- x ∈ A ∪ B ≝ x ∈ A ∨ x ∈ B
- x ∈ ∅ ≝ ⊥
- x ∈ {a} ≝ x = a
- x ∈ {a1, ..., an} ≝ x = a1 ∨ ... ∨ x = an
- A ∈ 𝒫(B) ≝ A ⊆ B

From these definitions we prove convenient derived rules, given in Figure 6. From an epistemological point of view, students get a taste of mathematical foundations: relying on a solid basis to define new objects and some convenient abstract rules to reason about them.



Fig. 6. Derived rules for set-theoretic notations (the figure is summarized as a list):

- ⊆i[n]: from a sub-proof-tree concluding x ∈ B under the discharged hypothesis [n] x ∈ A (x fresh), infer A ⊆ B;
- ⊆e: from A ⊆ B and x ∈ A, infer x ∈ B;
- the extensionality rule [n, m]: from x ∈ B under [n] x ∈ A and x ∈ A under [m] x ∈ B, infer A = B;
- ∩i: from x ∈ A and x ∈ B, infer x ∈ A ∩ B; ∩e1 and ∩e2: from x ∈ A ∩ B, infer x ∈ A, respectively x ∈ B;
- ∪i1 and ∪i2: from x ∈ A, respectively x ∈ B, infer x ∈ A ∪ B; ∪e[n, m]: from x ∈ A ∪ B, P under [n] x ∈ A, and P under [m] x ∈ B, infer P.



3.8 Induction 

The usual induction principle is formalized by the following deduction rule:

P(0)    ∀n P(n) ⇒ P(S(n))
-------------------------- nat-rec
         ∀n P(n)

We also provide Peano axioms and then can propose exercises on elementary algebraic properties of addition and multiplication.

+0: ∀n n + 0 = n            +S: ∀n ∀m n + S(m) = S(n + m)
×0: ∀n n × 0 = 0            ×S: ∀n ∀m n × S(m) = (n × m) + n

Predicates ≤ and < can be defined by m ≤ n ≝ ∃k n = k + m and m < n ≝ S(m) ≤ n. Then we can derive "strong" (or Noetherian) induction on natural numbers:

∀n (∀m m < n ⇒ P(m)) ⇒ P(n)
---------------------------- strong-nat-rec
          ∀n P(n)

A natural extension is to work on structural induction on ML-style lists or binary trees.

3.9 Example 

In order to illustrate the above ideas, we consider the example depicted in Figure 7, which is a typical examination problem. In order to simplify notations, we do not type variables, but we want to emphasize that n is a natural variable (hence we can apply inductive reasoning over it). Also, for the sake of simplicity, we start by defining some predicates. Predicate H1 states that everybody has a father. Predicate H2 states that everybody is its own 0-ancestor, and predicate H3 states that the (n + 1)-ancestor is defined as the father of the n-ancestor. We want to prove that for any n ∈ ℕ, everybody has an n-ancestor, that is, for any n ∈ ℕ, the property Q(n) holds. The way we teach this example is the following. First, we remark that we want to prove some statement, without any additional hypothesis. Fortunately, the goal corresponds to an implication. Hence, it suffices to prove the right part, admitting the left part as a hypothesis. Formally, this corresponds to an application of an ⇒i rule. We continue this bottom-up proof by applying the rule ⇒i twice again. Now, we face a property of the kind ∀n ... where n is a variable ranging over naturals, so we can apply induction. The next goal is split into two other sub-goals. Here, we can see the manner in which we compose proofs: for example the tree T1 can be proved separately, and then it can be plugged into the overall proof. But we have to pay attention to the hypotheses that remain active at the end of the proof T1. Other interesting points are the way we unfold definitions, and the use of equational reasoning.

Fig. 7. Example "Everybody has n-ancestors" (outline of the proof-tree shown in the figure).
Let Q(n) ≝ ∀x ∃y y = A(n, x), H1 ≝ ∀x ∃y y = F(x), H2 ≝ ∀x x = A(0, x), H3 ≝ ∀n ∀x F(A(n, x)) = A(S(n), x).
The goal H1 ⇒ (H2 ⇒ (H3 ⇒ (∀n ∀x ∃y y = A(n, x)))) is proved by three ⇒i steps discharging [1] H1, [2] H2 and [3] H3; then Q def turns the remaining goal into ∀n Q(n), which nat-rec splits into:
- Q(0): from [2] H2 by ∀e(x := x0), x0 = A(0, x0); by ∃i, ∃y y = A(0, x0); by ∀i, ∀x ∃y y = A(0, x), which is Q(0) by Q def.
- ∀m Q(m) ⇒ Q(S(m)): the tree T1. It assumes Q(m0), concludes Q(S(m0)), and finishes with ⇒i and ∀i. Inside T1: from Q(m0), by Q def and ∀e(x := x0), ∃y y = A(m0, x0); ∃e[e1] names the witness, e1: y1 = A(m0, x0); from [1] H1 by ∀e(x := y1), ∃y y = F(y1); ∃e[e2] names its witness, e2: y2 = F(y1); the equational proof D1 gives y2 = A(S(m0), x0) from e1, e2 and H3; by ∃i, ∃y y = A(S(m0), x0); by ∀i and Q def, Q(S(m0)).
- D1 is the chain y2 = F(y1) {hypothesis e2} = F(A(m0, x0)) {hypothesis e1} = A(S(m0), x0) {H3 by hypothesis 3, with ∀e and ∀e}.

4 Pedagogical Issues and Assessment

4.1 Technical Advantages of GPND for Teaching Logic

We already mentioned that GPND proof-trees reflect usual reasoning much better than the truth-table approach. This is especially clear on implication. The fact that the rules for ⇒ and for ∧ look completely different is a chance, as it helps beginners not to confuse these two connectors.

A very interesting point, from a pedagogical perspective, is that proof trees allow us to point out errors with accuracy. It occurs quite often that a student comes with rough and obscure ideas and still believes that his argument is good. It is much more difficult to show him where his mistakes are on informal or semi-formal writings than on proof trees. If a rule is wrongly applied, we can first say "this does not conform to the rules on which we agreed" and may add: "if your rule were right, you would get this or that undesired consequence". This turns out quite convincing with all kinds of students. Here are some typical errors that can be pointed out in GPND proof style:

— Incorrect use of a deduction rule (especially ∨e).
— Violation of the scope of a hypothesis (for instance, a hypothesis available in a branch of a case analysis is used in the other branch).
— Violation of the side condition of ∃e or ∀i, using a "convenient" choice for ∃x or ∀x instead of a fresh variable.
— Exploiting an implication, or a rule, without proving its premises.

Such errors correspond to typical wrong reasoning written informally.

Another benefit is that GPND enforces a precise understanding of the distinction between available and discharged hypotheses. This is particularly important for a rigorous treatment of quantifiers and of inductions, especially when they are nested. It is sometimes crucial, when proving a property of the form ∀n ∀m P(n, m) by induction on n, that the inductive property ∀m P(n, m) remains universally quantified, because the m we need for S(n) may come from a different value in the induction hypothesis. A well-known example, among others, is the proof of strong induction using basic induction on the property ∀m m < n ⇒ P(m).
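As an added worked derivation (not part of the paper), here is the proof of strong induction from nat-rec that the paragraph above alludes to, carried out with the rules and the definitions of section 3.8. Besides nat-rec, the rules of figure 1 (including the elimination rule ⊥e for ⊥) and the definition of Q below, it assumes three lemmas about < on natural numbers, provable from the Peano axioms and the definitions of ≤ and <, but not proved here: (L1) ∀m ¬(m < 0), (L2) ∀n ∀m m < S(n) ⇒ (m < n ∨ m = n), and (L3) ∀n n < S(n). The point to watch is the one the paragraph makes: the induction is run on Q(n), which stays universally quantified in m, so that the m needed at S(n) can be any value below S(n).

$$
Q(n) \;\stackrel{\mathrm{def}}{=}\; \forall m\;(m < n \Rightarrow P(m)),
\qquad
H:\; \forall n\;(\forall m\; m < n \Rightarrow P(m)) \Rightarrow P(n)
\quad(\text{i.e. } \forall n\;(Q(n) \Rightarrow P(n)))
$$

Base case, $Q(0)$, with $m_0$ fresh:
$$
\begin{array}{ll}
[h_1]\;\; m_0 < 0 & \text{hypothesis}\\
m_0 < 0 \Rightarrow \bot & \text{L1 with } \forall_e(m := m_0)\text{, unfolding } \neg\\
\bot & \Rightarrow_e \text{ on } h_1\\
P(m_0) & \bot_e\\
m_0 < 0 \Rightarrow P(m_0) & \Rightarrow_i[h_1]\\
\forall m\;(m < 0 \Rightarrow P(m)) & \forall_i,\; m_0 \notin FV(H, \mathrm{L1}, \mathrm{L2}, \mathrm{L3})
\end{array}
$$

Inductive step, $\forall n\;(Q(n) \Rightarrow Q(S(n)))$, with $n_0$ and $m_0$ fresh:
$$
\begin{array}{ll}
[h_2]\;\; Q(n_0) & \text{hypothesis}\\
[h_3]\;\; m_0 < S(n_0) & \text{hypothesis}\\
m_0 < n_0 \vee m_0 = n_0 & \text{L2 with } \forall_e(n := n_0),\ \forall_e(m := m_0),\ \Rightarrow_e \text{ on } h_3\\
\quad\text{case } [c_1]\;\; m_0 < n_0:\quad P(m_0) & h_2 \text{ unfolded by } Q \text{ def},\ \forall_e(m := m_0),\ \Rightarrow_e \text{ on } c_1\\
\quad\text{case } [c_2]\;\; m_0 = n_0:\quad P(n_0) & H \text{ with } \forall_e(n := n_0),\ \Rightarrow_e \text{ on } h_2\\
\quad\phantom{\text{case } [c_2]\;\; m_0 = n_0:\quad} P(m_0) & =_e \text{ with } n_0 = m_0 \text{ (symmetry of } =\text{, derived from } =_i, =_e)\\
P(m_0) & \vee_e[c_1, c_2]\\
m_0 < S(n_0) \Rightarrow P(m_0) & \Rightarrow_i[h_3]\\
Q(S(n_0)) & \forall_i,\; m_0 \notin FV(h_2, H, \mathrm{L1}, \mathrm{L2}, \mathrm{L3});\ Q \text{ def}\\
Q(n_0) \Rightarrow Q(S(n_0)) & \Rightarrow_i[h_2]\\
\forall n\;(Q(n) \Rightarrow Q(S(n))) & \forall_i,\; n_0 \notin FV(H, \mathrm{L1}, \mathrm{L2}, \mathrm{L3})
\end{array}
$$

Conclusion, with $n_0$ fresh:
$$
\begin{array}{ll}
\forall n\; Q(n) & \text{nat-rec on the base case and the inductive step}\\
Q(S(n_0)) & \forall_e(n := S(n_0))\\
n_0 < S(n_0) \Rightarrow P(n_0) & Q \text{ def},\ \forall_e(m := n_0)\\
P(n_0) & \Rightarrow_e \text{ with L3, } \forall_e(n := n_0)\\
\forall n\; P(n) & \forall_i,\; n_0 \notin FV(H, \mathrm{L1}, \mathrm{L2}, \mathrm{L3})
\end{array}
$$

Discharging $H$ by a final $\Rightarrow_i$ gives the strong-nat-rec rule of section 3.8 as a derived rule. Note where the side conditions bite: in the inductive step, $m_0$ must be fresh with respect to $h_2$, which is why $Q(n_0)$ has to be kept as $\forall m\,(\ldots)$ and instantiated only inside the case analysis.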

Let us now mention a number of issues showing the relevance of the GPND approach to computer science, including formal methods.

Case analysis. The elimination rule for ∨ states exactly how a disjunctive piece of information can be exploited. This is clearly related to algorithmic constructs such as if...then...else..., case...of..., switch...

Tree-like data structures. Trees are a ubiquitous concept in computer science. Their handling is intuitive. Here is an opportunity to introduce and manipulate them at an abstract level, without reference to an implementation.

Modularity. Even middle-sized proofs cannot be displayed using a monolithic proof-tree on a single sheet of paper. Structuring a proof in sub-trees with a clear interface allows one to handle this issue. Here, the interface is defined by the set of hypotheses and the conclusion.

Problem solving. Faced with proving a goal from given hypotheses, many steps can be carried out just by examining the form of the formulas at hand. If the conclusion is among the hypotheses, we are done. Else, if the conclusion is not atomic, it can be decomposed along a divide-and-conquer approach, using an introduction rule. However, some of them (∨i1, ∨i2 and ∃i) are dangerous as they may lead into a dead end. We warn the students to postpone the use of these rules as far as possible. These are the places where thinking about the contents of hypotheses and creativity are needed. This method can be carried out in parallel on the corresponding informal reasoning.
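The bottom-up method of this paragraph, as an added example (not code from the paper): a small goal-directed search for the ∧, ⇒ fragment of section 3.2 that applies the three steps in order. A goal that is an available hypothesis is closed; a non-atomic goal is decomposed by an introduction rule (∧i or ⇒i, which are safe in this fragment, unlike the ∨i and ∃i rules the paragraph warns about); an atomic goal is attacked by exploiting the hypotheses with ∧e and ⇒e. The tuple encoding of formulas and proof-trees, the rule names and the loop check on already-visited goals are assumptions of this example. On the diagonal exercise (A ⇔ (A ⇒ B)) ⇒ B of section 3.2, this naive search proves the sub-goal A twice: exactly the repeated sub-proof-tree that the paper's cut challenge asks students to avoid.

```python
# Goal-directed proof search for the (∧, ⇒) fragment of GPND, following the
# bottom-up method of section 4.1.  Added example, not code from the paper.
# Formulas: ('atom', 'A'), ('and', F, G), ('imp', F, G).  Proof-trees are tuples
# headed by a rule name: hyp, and_i, and_e1, and_e2, imp_i, imp_e.

PROOF_RULES = {'hyp', 'and_i', 'and_e1', 'and_e2', 'imp_i', 'imp_e'}


def atom(p):
    return ('atom', p)


def imp(f, g):
    return ('imp', f, g)


def search(goal, hyps, seen=frozenset()):
    """Proof-tree concluding `goal` under `hyps` (name -> formula), or None.
    `seen` holds the (goal, hypotheses) pairs on the current path: meeting one
    again means the search is going in circles, so that branch is abandoned."""
    for h, f in hyps.items():                 # 1. the conclusion is a hypothesis: done
        if f == goal:
            return ('hyp', h)
    key = (goal, frozenset(hyps.values()))
    if key in seen:
        return None
    seen = seen | {key}
    if goal[0] == 'and':                      # 2. ∧i: divide and conquer
        left = search(goal[1], hyps, seen)
        right = left and search(goal[2], hyps, seen)
        return ('and_i', left, right) if right else None
    if goal[0] == 'imp':                      # 2. ⇒i: assume the premise under a fresh name
        h = f'h{len(hyps) + 1}'
        body = search(goal[2], {**hyps, h: goal[1]}, seen)
        return ('imp_i', h, goal[1], body) if body else None
    for h, f in hyps.items():                 # 3. atomic goal: look into the hypotheses
        proof = exploit(('hyp', h), f, goal, hyps, seen)
        if proof:
            return proof
    return None


def exploit(proof, f, goal, hyps, seen):
    """Drive `proof`, which concludes f, towards `goal` using ∧e and ⇒e."""
    if f == goal:
        return proof
    if f[0] == 'and':
        return (exploit(('and_e1', proof), f[1], goal, hyps, seen)
                or exploit(('and_e2', proof), f[2], goal, hyps, seen))
    if f[0] == 'imp':                         # prove the premise, then modus ponens
        arg = search(f[1], hyps, seen)
        if arg:
            return exploit(('imp_e', proof, arg), f[2], goal, hyps, seen)
    return None


def hyp_uses(proof):
    """Number of hypothesis leaves: repeated sub-proof-trees inflate this count."""
    if proof[0] == 'hyp':
        return 1
    return sum(hyp_uses(p) for p in proof[1:]
               if isinstance(p, tuple) and p[0] in PROOF_RULES)


A, B, C = atom('A'), atom('B'), atom('C')
# Exercises of section 3.2 (⇒ associates to the right).
EX_DISTRIB = imp(imp(A, imp(B, C)), imp(imp(A, B), imp(A, C)))
EX_K = imp(A, imp(B, A))
# (A ⇔ (A ⇒ B)) ⇒ B, with ⇔ unfolded into a conjunction of two implications.
EX_DIAG = imp(('and', imp(A, imp(A, B)), imp(imp(A, B), A)), B)

if __name__ == '__main__':
    for name, goal in [('distrib', EX_DISTRIB), ('K', EX_K),
                       ('diag', EX_DIAG), ('A => B', imp(A, B))]:
        proof = search(goal, {})
        print(name, 'no proof' if proof is None else f'{hyp_uses(proof)} hypothesis uses')
```

The search is complete for this fragment only because ∧i and ⇒i are invertible, so decomposing the goal never loses a proof; with ∨ or ∃ in the goal the same strategy would need the backtracking the paragraph describes. The `seen` set is what keeps step 3 from chasing a premise that needs the very goal being proved.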

Variables and scope. It is clear that the notions of free and bound variables with their scopes are developed when introducing the syntax of first-order formulas. Admittedly, this comes from formal logic, not specifically GPND. Looking at programming languages, logic variables are closer to the concept to be found in the functional paradigm than in the imperative paradigm.

What is more specific to GPND is that scopes are also related to hypotheses, more exactly names of hypotheses: the scope of a hypothesis is the largest sub-tree where it is available (still not discharged). One can even speak about local and global hypotheses. Scopes are then discussed already in the framework of propositional logic.

Rule-based formalisms. Many formalisms used in computer science have a rule-based presentation: typing systems, operational semantics, etc. Studying GPND is then a good training in order to prepare for more advanced courses.

Introduction to proof assistants. In the area of formal methods and software verification, well-recognized proof assistants such as Coq [12, 1] and Isabelle/HOL [9] are available and commonly used. Their theoretical foundations are logic systems quite close to GPND.

4.2 Pedagogical Issues and pitfalls 

A number of pedagogical issues have to be taken into account, in order to make 
GPND an efficient tool for teaching. 

We already mentioned that proof trees allow us to point out mistakes with 
accuracy. To this effect, we insist that justifications (the rule labels attached 
to deduction steps) are mandatory: students often suffer from a lack of precise 
ideas about what they are really doing, or at least from a poor ability to 
communicate their arguments. In this spirit we tend to demand more than what is 
generally given in textbooks. For instance, the elimination rule for ∀ makes 
explicit the term t to be substituted for the quantified variable x: ∀e(t). 

There is a pedagogical issue with implication: in GPND, it is impossible³ to 
get a theorem without using ⇒i. Hence we have to consider hypothesis management 
very early. As explained in 3.1, we fix this issue by temporarily considering 
fake rules such as tri and DLL. A drawback is that some students tend to think 
that any rule is good, provided it looks plausible. So we have to insist heavily, 
from the beginning, that tri and so on should be forgotten and that the right 
rules are coming. A complementary approach is to work on deductions under 
hypotheses with simple rules such as ⇒e, ∨e and the rules for ∧. In fact we let 
students discover these rules in the first exercise session. 

³ At least for intuitionistic logic. But it is clear that PEM cannot be exploited 
without hypothesis management, except if the conclusion is just an instance of 
A ∨ ¬A. For example, all theorems of the form ¬P ∨ Q, where Q can be deduced 
from P, are proved by case analysis on P ∨ ¬P, i.e. using ∨e. 

We already mentioned some wrong attempts concerning ∨e and ∃e, respectively 
in 3.2 and 3.3. How to deal with space-consuming proofs was considered from the 
beginning (3.1), through modularity, and through a special notation for equational 
reasoning (see 3.5). 
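The two demands made in this subsection, mandatory justifications on every step and explicit management of named hypotheses with their scopes (Section 4.1), can be made mechanical by a small checker. The following is an added example written for this text, not code from the paper or from any proof assistant; the rule labels (hyp, and_i, and_e1, and_e2, or_i1, or_i2, imp_i, or_e), the tuple encoding of formulas, the Proof class and the sample proofs are all our own assumptions. Hypotheses are leaves with a name; ⇒i and ∨e discharge names, and a name is in scope exactly in the subtree below the step that discharges it. The checker returns the open hypotheses and the conclusion, i.e. the sequent the tree derives, so a tree with no open hypothesis is a theorem.

```python
# Added example, not code from the paper: a checker for propositional GPND proof
# trees that makes two points of Section 4 mechanical: every step carries a
# mandatory justification (a rule label), and hypotheses are named so that their
# scope (the subtree where they are still undischarged) can be tracked.  Rule
# names, the tuple encoding of formulas and the sample proofs are our own.
from dataclasses import dataclass, field

class ProofError(Exception):
    """A deduction step does not match its stated rule."""

def show(f):
    """Render ("var", "A") or ("and"|"or"|"imp", p, q) with the usual symbols."""
    if f[0] == "var":
        return f[1]
    sym = {"and": "∧", "or": "∨", "imp": "⇒"}[f[0]]
    return f"({show(f[1])} {sym} {show(f[2])})"

@dataclass
class Proof:
    rule: str                 # justification label (mandatory)
    conclusion: tuple         # formula at the root of this subtree
    premises: list = field(default_factory=list)
    hyp: str = ""             # name read by a "hyp" leaf or discharged by "imp_i"
    hyps: tuple = ()          # the two names discharged by "or_e"

def _merge(opens):
    """Union of open hypotheses; one name must denote one formula."""
    merged = {}
    for o in opens:
        for name, f in o.items():
            if merged.setdefault(name, f) != f:
                raise ProofError(f"hypothesis {name} used with two formulas")
    return merged

def _discharge(opens, name, expected):
    """Close hypothesis `name`; if it is open it must carry `expected`."""
    if name in opens and opens[name] != expected:
        raise ProofError(f"cannot discharge {name}: {show(opens[name])} is not {show(expected)}")
    return {n: f for n, f in opens.items() if n != name}

def check(p):
    """Return (open hypotheses, conclusion), i.e. the sequent derived by tree p."""
    c = p.conclusion
    if p.rule == "hyp":
        if p.premises or not p.hyp:
            raise ProofError("a hypothesis leaf needs a name and no premises")
        return {p.hyp: c}, c
    sub = [check(q) for q in p.premises]
    opens, concs = [o for o, _ in sub], [k for _, k in sub]
    if p.rule == "and_i":
        if c != ("and", *concs):
            raise ProofError("∧i: conclusion must be the conjunction of its two premises")
    elif p.rule in ("and_e1", "and_e2"):
        if len(concs) != 1 or concs[0][0] != "and" or c != concs[0][1 if p.rule == "and_e1" else 2]:
            raise ProofError(f"{p.rule}: premise must be a conjunction containing the conclusion")
    elif p.rule in ("or_i1", "or_i2"):
        if len(concs) != 1 or c[0] != "or" or c[1 if p.rule == "or_i1" else 2] != concs[0]:
            raise ProofError(f"{p.rule}: conclusion must be a disjunction containing the premise")
    elif p.rule == "imp_i":
        if len(concs) != 1 or c[0] != "imp" or c[2] != concs[0] or not p.hyp:
            raise ProofError("⇒i: premise must be the consequent, with a named hypothesis")
        return _discharge(opens[0], p.hyp, c[1]), c          # scope of p.hyp ends here
    elif p.rule == "or_e":
        if len(concs) != 3 or concs[0][0] != "or" or concs[1:] != [c, c] or len(p.hyps) != 2:
            raise ProofError("∨e: premises must be A ∨ B, then C twice, with two named hypotheses")
        left = _discharge(opens[1], p.hyps[0], concs[0][1])   # hyps[0] is local to the 2nd branch
        right = _discharge(opens[2], p.hyps[1], concs[0][2])  # hyps[1] is local to the 3rd branch
        return _merge([opens[0], left, right]), c
    else:
        raise ProofError(f"unknown rule label {p.rule!r}")    # a plausible-looking step is not enough
    return _merge(opens), c

def sequent(p):
    """Sequent-style reading of a checked tree, e.g. '(A ∧ B) ⊢ (B ∧ A)'."""
    opens, c = check(p)
    return (", ".join(show(f) for _, f in sorted(opens.items())) + " ⊢ " + show(c)).strip()

# Constructed sample proofs (our own, not taken from the paper).
A, B = ("var", "A"), ("var", "B")
AB, BA = ("and", A, B), ("and", B, A)

def swap_proof():  # B ∧ A from the still-open hypothesis h : A ∧ B
    h = Proof("hyp", AB, hyp="h")
    return Proof("and_i", BA, [Proof("and_e2", B, [h]), Proof("and_e1", A, [h])])

def swap_theorem():  # discharging h with ⇒i leaves no open hypothesis: a theorem
    return Proof("imp_i", ("imp", AB, BA), [swap_proof()], hyp="h")

def or_commutativity():  # A ∨ B ⊢ B ∨ A by case analysis, a and b discharged by ∨e
    d = Proof("hyp", ("or", A, B), hyp="d")
    left = Proof("or_i2", ("or", B, A), [Proof("hyp", A, hyp="a")])
    right = Proof("or_i1", ("or", B, A), [Proof("hyp", B, hyp="b")])
    return Proof("or_e", ("or", B, A), [d, left, right], hyps=("a", "b"))

def bad_discharge():  # wrong: ⇒i claims h is A although h was assumed as A ∧ B
    try:
        check(Proof("imp_i", ("imp", A, BA), [swap_proof()], hyp="h"))
    except ProofError as err:
        return str(err)  # the checker names the offending hypothesis and formulas
```

Running sequent on swap_proof, swap_theorem and or_commutativity yields the sequents "(A ∧ B) ⊢ (B ∧ A)", "⊢ ((A ∧ B) ⇒ (B ∧ A))" and "(A ∨ B) ⊢ (B ∨ A)": the hypothesis h is open in the first tree and discharged in the second, and the two case hypotheses a and b never escape their branches. The checker rejects bad_discharge, which tries to discharge h under a formula it was not assumed with, and any step whose label is not a rule of the system, however plausible the step may look.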

4.3 An alternative to GPND: sequents 

Natural deduction can be presented in terms of sequents Γ ⊢ C, where Γ is 
a multiset of formulas and C a formula, whose intuitive meaning is "given the 
conjunction of the hypotheses in Γ, the conclusion C holds". Rules have several 
sequents as premises and a sequent as conclusion. A formula A is a theorem if the 
sequent ⊢ A can be derived. A proof tree is a tree labelled as follows: leaves 
are labelled by axioms, i.e. sequents Γ ⊢ C where C ∈ Γ. Although this approach 
may be preferred for the meta-theoretical study of natural deduction [5], it puts 
the emphasis more on provability than on proofs. 

Note that, from a pedagogical perspective, the sequent-based presentation is 
closer to the inference systems used for typing or for structured operational 
semantics. But it is a bit far from the objectives of an introductory course on 
logic. Moreover, once somebody is familiar with a deduction system, it is 
reasonable to expect that she or he can easily move to another presentation of 
it, or to another inference system. 
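To make the contrast concrete, here is the sequent-style presentation written out for a small theorem, as an added example and not a derivation taken from the paper. The rule names ax, ∧i, ∧e1, ∧e2 and ⇒i are our own labels for the axiom and the rules for conjunction and implication; Γ is the multiset of hypotheses as in the text above.

$$
\frac{}{\Gamma, A \vdash A}\ \text{ax}
\qquad
\frac{\Gamma \vdash A \quad \Gamma \vdash B}{\Gamma \vdash A \wedge B}\ \wedge_i
\qquad
\frac{\Gamma \vdash A \wedge B}{\Gamma \vdash A}\ \wedge_{e1}
\qquad
\frac{\Gamma \vdash A \wedge B}{\Gamma \vdash B}\ \wedge_{e2}
\qquad
\frac{\Gamma, A \vdash B}{\Gamma \vdash A \Rightarrow B}\ \Rightarrow_i
$$

$$
\frac{
  \dfrac{\dfrac{}{A \wedge B \vdash A \wedge B}\ \text{ax}}{A \wedge B \vdash B}\ \wedge_{e2}
  \qquad
  \dfrac{\dfrac{}{A \wedge B \vdash A \wedge B}\ \text{ax}}{A \wedge B \vdash A}\ \wedge_{e1}
}{
  \dfrac{A \wedge B \vdash B \wedge A}{\vdash (A \wedge B) \Rightarrow (B \wedge A)}\ \Rightarrow_i
}\ \wedge_i
$$

In the GPND tree for the same theorem, A ∧ B is a single labelled leaf that is discharged by the final ⇒i step, and nothing else in the tree mentions it. In the sequent form the hypothesis is instead copied into Γ on every line of the derivation and disappears only at the ⇒i step: every node records what is provable from which hypotheses, which is exactly the shift of emphasis from proofs to provability noted above.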

4.4 Assessment 

This course was given to an audience of 150 to 200 students per year, with 
the following rhythm: one lecture (1h30) and one exercise class (1h30) per week, 
during 11 weeks. About 3 weeks are needed for discovering proof trees and the 
first 3 propositional connectors; then another 3 weeks for quantifiers and 
negation; the next 3 weeks are devoted to set-theoretic notions and the last 
2 weeks to induction. 

The course got a good ranking from the students, which is quite satisfactory 
since most of the material is new to them. It turns out that they like to play 
with trees. However, our main goal in introducing formal proofs as a first-year 
course was to improve the students' reasoning ability beyond the formal framework 
of GPND, that is, detecting wrong deductions and writing convincing proofs in 
natural language. We brought students from approximate reasoning in natural 
language to formal proofs, and we expected them to make the opposite move by 
themselves. After four years we had to admit that we partially failed. Indeed, 
some students were still handicapped when asked to prove a statement in natural 
language, whereas they were perfectly able to build the proof tree in GPND style. 
This observation brought us to the conclusion that we need more time for 
transferring the lessons learned in GPND back to free reasoning. This includes 
proof guidelines: how to decompose a statement to be proved into subgoals, how 
to find the hypotheses and what finally has to be proved, and how a proof tree 
can be told as an argumentative discourse. On this last point we plan to extend 
the teaching with a project - in collaboration with a course on functional 
programming - that consists in a systematic translation of a GPND proof tree 
into a reasoning in natural language. 

We are anyway convinced that working on proof trees helps students develop a 
more structured mind. In order to strengthen the work done so far, connections 
have to be established with other courses given in second year on logic, automata 
and languages, proofs and algorithmics. Students happen to ask for building 
proof trees 2 or 3 years later. When one of them is stuck at the beginning of 
a proof, suggesting that she or he start a proof tree turns out to be quite 
helpful. On the teaching side, colleagues have to be convinced that our approach 
is good and can be reused to some extent. We are confident that progress will be 
made in this direction, because our teaching team became quite enthusiastic, even 
though most teachers discovered natural deduction in this course. 

5 Conclusion 

We advocated that GPND is the right way to introduce logic to beginners, at 
least for students in computer science. Everybody gets a chance to better 
understand what reasoning is and to improve her or his reasoning abilities. What 
about other pupils? It is often advocated that computer science should be 
taught much earlier in the curriculum, notably in high school. Computer 
scientists should contribute to this chapter of mathematics. In particular, proof 
trees are simple to understand and fun. They require no mathematical background. 
We think that they could be introduced in high school, at least for 
propositional logic, thus helping pupils in their scientific activities. 

Let us finish with some perspectives. We limited ourselves to a pencil-and-paper 
approach, mainly because we did not have enough time slots to do otherwise. 
We plan to use a proof assistant in a future version of the course. However, we 
will have to be wary of the danger of button-pushing: existing proof assistants 
are good at helping the user find proofs and at automating tedious tasks, 
whereas here we want the user to be aware of the elementary deduction steps. 
In pedagogical use, a proof assistant should just be used as a proof checker. 